Mozilla Follows Google in Losing Trust in Entrust's TLS Certificates (theregister.com) 14
Mozilla is following in Google Chrome's footsteps in officially distrusting Entrust as a root certificate authority (CA) following what it says was a protracted period of compliance failures. From a report: A little over a month ago, Google was the first to make the bold step of dropping Entrust as a CA, saying it noted a "pattern of concerning behaviors" from the company. Entrust has apologized to Google, Mozilla, and the wider web community, outlining its plans to regain the trust of browsers, but these appear to be unsatisfactory to both Google and Mozilla.
In an email shared by Mozilla's Ben Wilson on Wednesday, the root store manager said the decision wasn't taken lightly, but equally Entrust's response to Mozilla's concerns didn't inspire confidence that the situation would materially change for the better. "Mozilla previously requested that Entrust provide a detailed report on these recent incidents and their root causes, an evaluation of Entrust's recent actions in light of their previous commitments given in the aftermath of similarly serious incidents in 2020, and a proposal for how Entrust will re-establish Mozilla's and the community's trust," said Wilson.
In an email shared by Mozilla's Ben Wilson on Wednesday, the root store manager said the decision wasn't taken lightly, but equally Entrust's response to Mozilla's concerns didn't inspire confidence that the situation would materially change for the better. "Mozilla previously requested that Entrust provide a detailed report on these recent incidents and their root causes, an evaluation of Entrust's recent actions in light of their previous commitments given in the aftermath of similarly serious incidents in 2020, and a proposal for how Entrust will re-establish Mozilla's and the community's trust," said Wilson.
ConClownCarCo Enterprise Security Solutions (Score:5, Interesting)
Re:ConClownCarCo Enterprise Security Solutions (Score:4, Informative)
Re:ConClownCarCo Enterprise Security Solutions (Score:5, Interesting)
Even the ones which are well-known tend to be if-fy. I worked in physical security (key cards, cameras, alarms, that stuff) and was sent on an emergency service call to Verisign's offices in Olympia, WA. They weren't our regular customer, but their normal provider didn't have anyone available so they called us. What I found there was appalling, including one door from the building lobby that had no alarm, no access control, no camera, but went directly into their supposedly "secure" area, which people used to block open when they took a smoke break. I got their system back up and then documented what I had found in my quick look-around and handed it to the salescritters. Verisign's reply was, "We'll be moving to a different building in a year or two, we'll call you for a bid on the new place." Three years later I was back there on another service call and things were still the same. Lost any respect that I might have had for certificate authorities right there.
Re: (Score:3)
Three years later I was back there on another service call and things were still the same. Lost any respect that I might have had for certificate authorities right there.
The only certs worth trusting are the ones you install yourself. Of course, those are the least trusted of all by your devices and the hardest to get applications to use.
The TLS cert system has never been trustworthy. It's just the initial keying provider for most people's encryption. (Which should give people nightmares....)
Re: (Score:1)
Re:the sum of all human effort (Score:5, Interesting)
"the best we can come up with is just to trust someone...."
Just how to you propose to do things if you *don't* trust anybody at all? Even so-called "zero-trust" is just "you have to prove who you are, and then we'll trust you if you're somebody we've decided to trust."
Re: (Score:3)
But one time pads are so inconvenient...
It really depends on what you mean by "best". There *are* alternatives. They're just less convenient. (One may fairly wonder why they haven't become more convenient.)
Re: (Score:2)
Because, by it's nature, a one-time pad means you have to securely deliver a key that's the same size as your data. You haven't solved the problem, you've only shifted it. Now, depending on your situation, shifting the problem to somewhere more convenient may be good enough. But a lot of the time it's
Why is everybody LARPing... (Score:4, Interesting)
...as if this wasn't an already solved issue? Entrust already has a new partner they will temporarily offload their processes to, a partner Google and the rest have accepted, while they continue on the plan to improve their internal process that too was shown to and accepted by Google and the rest.
Ohhh OK, just so everyone knows.. (Score:2)
Apparently there's more than one important member of the CA/B Forum that gets to call the shots.
Re: (Score:3)
Oh, you mean like the one that tried to force DigiCert to invalidate 83,000 TLS certs with just 18 hours notice because they were missing a freaking underscore character in their CNAME validation DNS record? Yeah, I'd be OK if those jerks got kicked out.
Re: (Score:3)
Kicking Entrust out after four years of shenanigans but Digicert after one day?
It appears that Digicert cowered and screwed their customers. I know of one site that's been down for three days because the staff didn't know about some complex signing chain that involved a government entity.
Though I don't know what I don't know. For instance if Digicert ignored this warning for years and then somebody got tough.
But I know of another place that is moving all of their DV to LetsEncrypt after this fiasco.
There mu
Re: (Score:2)
I haven't noticed 'competency' being a core value in the executive suites for the last several decades, "access", contacts, personality, media attention, and brown-nosing all seem to be more important. I think Lee Iaccoca set the expectations for competency in a CEO pretty low, as long as you can claim credit for your underling's hard work and foist blame for failures back down the food chain you're golden.